Annex 1 (Integrated frameworks on Business/IT alignment) Annex 2 Goals Cascade, adapted from COBIT5


Annex 2 RACI chart for EDM01, retrieved from COBIT5.

Description of the RACI roles:
- R, Responsible: the one(s) who perform the activity
- A, Accountable: the one with decision authority
- C, Consulted: the one(s) who give input
- I, Informed: the entity(ies) who receive information

Annex 3 Enablers from COBIT5

1. Principles, policies, and frameworks: turn desired behaviors into practical directions to management
2. Processes: composed of a set of activities/practices to produce a certain output
3. Organizational structures: key decision-making bodies
4. Culture, ethics, and behavior: beliefs, morals, and customs of the members of the company
5. Information: includes all the information produced and used by the enterprise
6. Services, infrastructure, and applications: provide IT processing and services
7. People, skills, and competencies: needed to perform activities, make decisions, and take corrective actions

Annex 4 Complete list of COBIT5's processes

Area EDM (Governance), domain EDM:
- EDM01 Set and Maintain the Governance Framework
- EDM02 Ensure Value Optimization
- EDM03 Ensure Risk Optimization
- EDM04 Ensure Resource Optimization
- EDM05 Ensure Stakeholder Transparency

Area PBRM (Management), domain APO:
- APO01 Define the Management Framework for IT
- APO02 Manage Strategy
- APO03 Manage Enterprise Architecture
- APO04 Manage Innovation
- APO05 Manage Portfolio
- APO06 Manage Budget and Cost
- APO07 Manage Human Resources
- APO08 Manage Relationships
- APO09 Manage Service Agreements
- APO10 Manage Suppliers
- APO11 Manage Quality
- APO12 Manage Risk
- APO13 Manage Security

Area PBRM (Management), domain BAI:
- BAI01 Manage Programs and Projects
- BAI02 Define Requirements
- BAI03 Identify and Build Solutions
- BAI04 Manage Availability and Capacity
- BAI05 Manage Organizational Change Enablement
- BAI06 Manage Changes
- BAI07 Manage Change Acceptance and Transitioning
- BAI08 Manage Knowledge
- BAI09 Manage Assets
- BAI10 Manage Configuration

Area PBRM (Management), domain DSS:
- DSS01 Manage Operations
- DSS02 Manage Service Requests and Incidents
- DSS03 Manage Problems
- DSS04 Manage Continuity
- DSS05 Manage Security Services
- DSS06 Manage Business Process Controls

Area PBRM (Management), domain MEA:
- MEA01 Monitor, Evaluate and Assess Performance and Conformance
- MEA02 Monitor, Evaluate and Assess the System of Internal Control
- MEA03 Monitor, Evaluate and Assess Compliance with External Requirements

Annex 5 The 5 principles of COBIT5

1. Meeting Stakeholders' Needs: Goals Cascade
2. Covering the Enterprise End-to-end: RACI charts; point of reference
3. Applying a single, integrated framework: integrates previous ISACA frameworks and the latest standards and frameworks, and offers GEIT and management best practices
4. Enabling a holistic approach: Enablers
5. Separating Governance from Management: division of processes in two domains, EDM and PBRM

Annex 6 Implementation Cycle, retrieved from the COBIT 5 Implementation Guide.

Annex 7 Process Capability Assessment (COBIT5's PAM)

Capability level 0, Incomplete: the purpose is not achieved; non-implemented process. No process attributes.
Capability level 1, Performed: the purpose is achieved. Process attribute 1, Process Performance.
Capability level 2, Managed: the purpose is achieved, and the process is managed (planned, monitored, adjusted). Process attributes 2, Performance Management, and 3, Work Product Management.
Capability level 3, Established: implementation of the managed process. Process attributes 4, Process Definition, and 5, Process Deployment.
Capability level 4, Predictable: the established process is confined to attaining its specified objectives. Process attributes 6, Process Measurement, and 7, Process Control.
Capability level 5, Optimizing: continuous improvement of the process to meet current and future enterprise goals. Process attributes 8, Process Innovation, and 9, Process Optimization.

Annex 8 PAM's application to APO01, step 1

Process: APO01 Define the Management Framework for IT.
Purpose: Provide a consistent management approach to enable the enterprise governance requirements to be met, covering management processes, organisational structures, roles and responsibilities, reliable and repeatable activities, and skills and competencies.

For each level, assess whether the following outcomes are achieved and record, per criterion, whether the criteria are met, with a comment. Rating scale: Not achieved (0-15%), Partially Achieved (15%-50%), Largely Achieved (50%-85%), Fully Achieved (85-100%). An overall rating is then given for the process.

Level 0, Incomplete
The process is not implemented, or fails to achieve its process purpose. At this level, there is little or no evidence of any achievement of the process purpose.

Level 1, Performed
PA 1.1 Process Performance: the implemented process achieves its process purpose. The following process outcomes are being achieved:
- APO01-O1 An effective set of policies is defined and maintained.
- APO01-O2 Everyone is aware of the policies and how they should be implemented.

Level 2, Managed
PA 2.1 Performance Management: a measure of the extent to which the performance of the process is managed.
a) Objectives for the performance of the process are identified.
b) Performance of the process is planned and monitored.
c) Performance of the process is adjusted to meet plans.
d) Responsibilities and authorities for performing the process are defined, assigned and communicated.
e) Resources and information necessary for performing the process are identified, made available, allocated and used.
f) Interfaces between the involved parties are managed to ensure both effective communication and also clear assignment of responsibility.
PA 2.2 Work Product Management: a measure of the extent to which the work products produced by the process are appropriately managed. The work products (or outputs from the process) are defined and controlled.
a) Requirements for the work products of the process are defined.
b) Requirements for documentation and control of the work products are defined.
c) Work products are appropriately identified, documented, and controlled.
d) Work products are reviewed in accordance with planned arrangements and adjusted as necessary to meet requirements.

Level 3, Established
PA 3.1 Process Definition: a measure of the extent to which a standard process is maintained to support the deployment of the defined process.
a) A standard process, including appropriate tailoring guidelines, is defined that describes the fundamental elements that must be incorporated into a defined process.
b) The sequence and interaction of the standard process with other processes is determined.
c) Required competencies and roles for performing a process are identified as part of the standard process.
d) Required infrastructure and work environment for performing a process are identified as part of the standard process.
e) Suitable methods for monitoring the effectiveness and suitability of the process are determined.
PA 3.2 Process Deployment: a measure of the extent to which the standard process is effectively deployed as a defined process to achieve its process outcomes.
a) A defined process is deployed based upon an appropriately selected and/or tailored standard process.
b) Required roles, responsibilities and authorities for performing the defined process are assigned and communicated.
c) Personnel performing the defined process are competent on the basis of appropriate education, training, and experience.
d) Required resources and information necessary for performing the defined process are made available, allocated and used.
e) Required infrastructure and work environment for performing the defined process are made available, managed and maintained.
f) Appropriate data are collected and analysed as a basis for understanding the behaviour of the process, to demonstrate its suitability and effectiveness, and to evaluate where continuous improvement of the process can be made.

Level 4, Predictable
PA 4.1 Process Measurement: a measure of the extent to which measurement results are used to ensure that performance of the process supports the achievement of relevant process performance objectives in support of defined business goals.
a) Process information needs in support of relevant defined business goals are established.
b) Process measurement objectives are derived from process information needs.
c) Quantitative objectives for process performance in support of relevant business goals are established.
d) Measures and frequency of measurement are identified and defined in line with process measurement objectives and quantitative objectives for process performance.
e) Results of measurement are collected, analysed and reported in order to monitor the extent to which the quantitative objectives for process performance are met.
f) Measurement results are used to characterise process performance.
PA 4.2 Process Control: a measure of the extent to which the process is quantitatively managed to produce a process that is stable, capable and predictable within defined limits.
a) Analysis and control techniques are determined and applied where applicable.
b) Control limits of variation are established for normal process performance.
c) Measurement data are analysed for special causes of variation.
d) Corrective actions are taken to address special causes of variation.
e) Control limits are re-established (as necessary) following corrective action.

Level 5, Optimizing
PA 5.1 Process Innovation: a measure of the extent to which changes to the process are identified from analysis of common causes of variation in performance, and from investigations of innovative approaches to the definition and deployment of the process.
a) Process improvement objectives for the process are defined that support the relevant business goals.
b) Appropriate data are analysed to identify common causes of variations in process performance.
c) Appropriate data are analysed to identify opportunities for best practice and innovation.

Step 2: consolidation of the previous table. For each specified level, the company must assess whether the criteria are met and what the respective rating is (N, P, L, F). As previously explained, it is only possible to move on to the next level if the current one has a rating of either L or F.

Process name: APO01
Rating by criteria, Level 0 to Level 5: F, F, L, L, P
Capability level: 2

Annex 9 Primary findings from the study made of inputs and outputs in COBIT5.

When considering the sub-processes instead of processes, it was possible to see that the number of times a process is used as an input is greater than the number of times the same process is an output (Table 1). This is helpful when implementing the framework, since it makes it easier to identify which processes to start from. Processes that serve more times as inputs should be implemented first, as they provide the foundation for subsequent processes. The effect is lost when considering processes rather than sub-processes (Table 2).

Table 1 (sub-processes) and Table 2 (processes). Columns: process; number of times the process is an input; number of times the process is an output; comment (OK / NOT OK).

Annex 9 Mapping of IT-related goals to processes (figure 8), step 1; and mapping of enterprise goals to IT-related goals (figure 7), step 2.

Annex 10 Example of the application of COBIT5's mapping, applied to the enterprise goals of the financial area. The following formula was then applied throughout the matrix:

Annex 11 Results from the exercise described in Annex 10. The overall total impact is the sum of the influence of all the enterprise goals in the BSC's four areas. According to previous studies, the optimal number of control objectives is between 10 and 15 (Gerke, 2006; Al Omari, 2012; Huissoud, 2005). Given that there is a map in COBIT5 which relates each control objective from previous versions of COBIT to a process in COBIT5, it is possible to make a valid comparison between both. As such, the top 18 most influential processes were selected. Note that the great majority of the processes with the highest level of influence on enterprise goals are also present in the top 15 of the processes with the highest influence on the enterprise goals of the financial area, except for APO10, EDM03, and APO12, which were then included in the final list of processes with more influence, resulting in a list of 18 processes.

Overall Impact, Financial (process: impact):
APO01: 9,25; EDM01: 9; MEA01: 8,5; EDM02: 7,5; BAI02: 7,25; APO02: 6,75; APO08: 6,75; DSS04: 6,25; APO07: 6; APO03: 5,75; EDM03: 5,5; APO11: 5,5; APO12: 5,5; BAI06: 5,25; APO10: 5

Overall Total Impact (process: impact):
APO01: 58,75; EDM01: 56,75; MEA01: 56; EDM02: 55,25; APO02: 55; APO08: 54,75; BAI02: 54,75; APO03: 52,25; DSS04: 50,25; APO07: 49,75; BAI0: 47,75; EDM04: 47,5; APO11: 47,5; BAI06: 46; APO05: 45,75

Top 18 processes, Overall Total Impact (process: impact):
APO01: 58,75; EDM01: 56,75; MEA01: 56; EDM02: 55,25; APO02: 55; APO08: 54,75; BAI02: 54,75; APO03: 52,25; DSS04: 50,25; APO07: 49,75; BAI0: 47,75; EDM04: 47,5; APO11: 47,5; BAI06: 46; APO05: 45,75; APO10: 45; EDM03: 43,25; APO12: 41,5

Annex 12 Results from the test made of Hypothesis 1, where no correlation was found between the maturity level of the inputs and the capability level of the outputs.

Annex 13 Examples of how the determination of the performance levels of the activities within processes was made. The activity descriptions are retrieved from COBIT5.

EDM01.01 (capability of 0), activities and rates:
1. Analyse and identify the internal and external environmental factors (legal, regulatory and contractual obligations) and trends in the business environment that may influence governance design. Rate: 0
2. Determine the significance of IT and its role with respect to the business.
3. Consider external regulations, laws and contractual obligations and determine how they should be applied within the governance of enterprise IT. Rate: 0
4. Align the ethical use and processing of information and its impact on society, the natural environment, and internal and external stakeholder interests with the enterprise's direction, goals and objectives. Rate: 0
5. Determine the implications of the overall enterprise control environment with regard to IT.
6. Articulate principles that will guide the design of governance and decision making of IT.
7. Understand the enterprise's decision-making culture and determine the optimal decision-making model for IT.
8. Determine the appropriate levels of authority delegation, including threshold rules, for IT decisions. Rate: 0

APO02.06 (with capability of 3), activities:
1. Develop and maintain a network for endorsing, supporting and driving the IT strategy.
2. Develop a communication plan covering the required messages, target audiences, communication mechanisms/channels and schedules.
3. Prepare a communication package that delivers the plan effectively using available media and technologies.
4. Obtain feedback and update the communication plan and delivery as required.

APO01.07 (with capability of 5), activities:
1. Identify business-critical processes based on performance and conformance drivers and related risk. Assess process capability and identify improvement targets. Analyse gaps in process capability and control. Identify options for improvement and redesign of the process. Prioritise initiatives for process improvement based on potential benefits/costs.
2. Implement agreed-on improvements, operate as normal business practice, and set performance goals and metrics to enable monitoring of process improvements.
3. Consider ways to improve efficiency and effectiveness (e.g., through training, documentation, standardisation and automation of the process).
4. Apply quality management practices to update the process.
5. Retire outdated processes, process components or enablers.

DSS06.02 (with capability of 3), activities:
1. Create transactions by authorised individuals following established procedures, including, where appropriate, adequate segregation of duties regarding the origination and approval of these transactions.
2. Authenticate the originator of transactions and verify that he/she has the authority to originate the transaction.
3. Input transactions in a timely manner. Verify that transactions are accurate, complete and valid. Validate input data and edit or, where applicable, send back for correction as close to the point of origination as possible.
4. Correct and resubmit data that were erroneously input without compromising original transaction authorisation levels. Where appropriate for reconstruction, retain original source documents for the appropriate amount of time.
5. Maintain the integrity and validity of data throughout the processing cycle. Ensure that detection of erroneous transactions does not disrupt processing of valid transactions.
6. Maintain the integrity of data during unexpected interruptions in business processing and confirm data integrity after processing failures.
7. Handle output in an authorised manner, deliver to the appropriate recipient and protect the information during transmission. Verify the accuracy and completeness of the output.
8. Before passing transaction data between internal applications and business/operational functions (inside or outside the enterprise), check for proper addressing, authenticity of origin and integrity of content. Maintain authenticity and integrity during transmission or transport.
Rates shown in the rate column of this table: 0 and 0,5.

Annex 14 Results from the testing of hypothesis 3. The nature of the roles which have more responsibilities assigned is highlighted in grey.

Table columns: Capabilities of 0 and 1; Capabilities of 2 and 3; Capabilities of 4 and 5; each split into Management/Governance roles and IT roles. Table rows: A, R, C, I.